Packet-based networks transmit information from a source to a destination using finite-length datagrams, each comprising one or more nested headers and a data payload. For instance, a packet requested by the destination's web browser, for source and destination computers on the same “Ethernet” local network, could contain at each point on its journey (viewed from the head of the packet): an “Ethernet” header, specifying the immediate frame destination; an Internet Protocol (IP) header, specifying the IP addresses of the source and ultimate destination; a Transport Control Protocol (TCP) header, specifying a pre-existing TCP connection between the source and destination, and a HyperText Transfer Protocol (HTTP) header with an attached HTTP payload. Each nested header must conform to its corresponding protocol if the source expects the packet to pass through the network to the destination in a normal fashion.
A typical network-processing device handles packets with many, many different protocols, although a device may not process higher-level (i.e., more deeply nested) protocols when the device merely forwards the packet. Errors in protocol implementations sometimes introduce weak points in an otherwise sound specification. These errors can cause failure during packet transport, and therefore failure of services using that protocol. Also, malicious entities may attempt to misuse protocol features to degrade the performance of—or even bring down—a network processing device or network segment. As node throughput increases, and network processing devices move to distributed-processing architectures to cope with higher throughput, it becomes more and more difficult to monitor, detect, and respond to inadvertent or malicious traffic anomalies for traffic passing through a node.